Cambridge Analytica and the Repercussions for GDPR

Anybody with even a passing interest in the news has to be aware of the recent revelations involving Facebook and a certain analytics firm with the name of a prestigious university in its title.

The repercussions have been fierce: not only has Cambridge Analytica suspended its CEO, but Facebook’s stock price has also dropped by 10 percent—and that’s only in recent days.

Who knows what the next few weeks, months or even years will bring, but there’s no doubt in my mind that the Cambridge Analytica scandal is just the tip of the iceberg.

Perhaps the most striking thing about this whole situation is the fact that people with links to Facebook’s inner circle—including its former head of security and the co-founder of WhatsApp—have vocally denounced the company in the wake of the news stories.

Governments, too, are taking a hard line, with MPs in the United Kingdom demanding that Facebook CEO Mark Zuckerberg and chief operating officer Sheryl Sandberg appear in front of them to explain their role in exposing the data of millions of users, and officials in the European Union requesting an explanation from Facebook as to how this was able to occur in the first place.

As if that weren’t enough, it was discovered that Facebook had also been collecting the data from users’ phone calls and text messages.

One person, upon downloading a file containing all of the information collected by Facebook on him over the years, found that the company had retained a detailed history of the phone calls he had made in the past two years, including phone numbers, names and the length of time for each call. In some cases, Facebook was collecting this information without explicit consent from users, instead taking advantage of the way that Android granted permissions to applications that accessed call logs.

A spokesperson for Facebook took pains to emphasize that any uploading of information relating to your contacts is “optional.” In a statement to The Guardian, the spokesperson said, “People are expressly asked if they want to give permission to upload their contacts from their phone—it’s explained right there in the apps when you get started.” And in a blog post purporting to fact-check the news articles, Facebook made sure to highlight the fact that this feature “has always been opt-in only,” and that people have the ability to turn it off in their settings, which then triggers the deletion of “all previously shared call and text history shared via” Messenger or Facebook Lite.

Ignoring the fact that Facebook’s statement is unclear as to whether or not contact information continues to be stored even after the rest is deleted, it’s undeniable that Facebook’s attitude toward the collection of user data has been cavalier at best, and invasive at worst. By arguing that users should have known what they were getting into because it was all there in the terms of service, Facebook is, however inadvertently, making the case for an expansion of GDPR (General Data Protection Regulation) beyond the borders of the EU.

One of the fundamental tenets of GDPR is to empower users to give their consent willingly, and with full knowledge of how their information will be used and for what purpose. To that end, the regulations prohibit companies from using “long illegible terms and conditions full of legalese,” instead requiring “an intelligible and easily accessible form” that states the reason for data collection clearly and makes it “as easy to withdraw consent as it is to give it.”

Ultimately, the reason for the furor surrounding Cambridge Analytica boils down to the fact that the 50 million people whose data was harvested did not give their consent for the company to use their information. Of those 50 million people, only 270,000 had consented to having their data collected. The other astounding thing is that Facebook had been aware of Cambridge Analytica’s improper collection of user data since 2015, yet did nothing to notify the users who had been affected.

It’s situations like these that strengthen the case for GDPR.

“Consumers expect their data to be used within the context it was collected or by entities with whom they have a relationship,” says Jason Kint, CEO of publisher trade association Digital Content Next, “but they don’t expect their data to be set out like a buffet at the Golden Corral, where anyone can walk in off the street and help themselves.”

Even if governments aren’t willing to take advantage of the moment to push for stronger privacy laws, consumers have begun to signal their distaste for companies that take advantage of lax regulations to collect as much data as they can get their hands on. And they’re taking action the best way they know how: by removing their data from the organizations that depend on it.